> From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Roesen
> On Sun, Jul 17, 2011 at 04:09:29PM +0000, Christian Huitema wrote:
>> The basic idea is that remote parties should only be sending to
>> addresses that have already been discovered in the local subnet.
>
> Breaks with any VRRP setup.
VRRP is probably a special case of a router losing its memory...

In any case, as Ray Hunter noted, you need to somehow "tell good from bad" if you want to filter effectively. My suggestion is that an address from which traffic has been sourced locally is more likely to be "good" than an address that appears for the first time in a packet coming from afar. This is effectively the property used by most stateful firewalls, so there is some operational experience with that.

There are indeed a few issues, e.g. the local server that expects remote TCP connections but remains otherwise silent, or the router that was just rebooted, or swapped in, and has no idea about the current working set. The solution to the server issue has to be some kind of keep-alive, e.g. with ND. The solution to the "router with no memory" is probably a looser control during a "learning" period, possibly combined with some form of fast ND refresh.

Of course, there are no good solutions against a local host that is actively trying to DoS a local router. Keith pointed out that local hosts can generate as many MAC addresses as they want... But then, there are meatspace solutions to this kind of thing.

-- Christian Huitema

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
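The filtering heuristic sketched in the message above, as an added example that is not part of the thread and is not code from any of its participants: a router keeps a "working set" of addresses it has seen sourced on the local link, and forwards remotely-originated packets only to addresses in that set. The model includes the two edge cases the message raises, the silent server that needs an ND-style keep-alive to stay in the set, and the rebooted router that starts with an empty set and admits everything during a learning period. The addresses, timeouts and the length of the learning period are assumptions chosen for the illustration, not values proposed on the list.

```python
"""Model of a working-set filter for remotely-originated traffic.

Added example, not from the original mailing-list thread. Addresses,
timeouts and the learning-period length below are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class WorkingSetFilter:
    idle_timeout: float = 300.0     # seconds an address stays known without local traffic
    learning_period: float = 60.0   # seconds after (re)boot during which everything is accepted
    boot_time: float = 0.0
    seen: dict = field(default_factory=dict)  # local address -> last time it sourced a packet

    def local_source(self, addr: str, now: float) -> None:
        """Record a packet (data or ND keep-alive) sourced from addr on the local link."""
        self.seen[addr] = now

    def reboot(self, now: float) -> None:
        """A rebooted or swapped-in router loses its memory of the working set."""
        self.seen.clear()
        self.boot_time = now

    def in_learning_period(self, now: float) -> bool:
        return now - self.boot_time < self.learning_period

    def accept_remote(self, dst: str, now: float) -> bool:
        """Decide whether a packet arriving from afar for local address dst is forwarded."""
        if self.in_learning_period(now):
            return True                     # looser control while the set is rebuilt
        last = self.seen.get(dst)
        if last is None:
            return False                    # never sourced locally: treat as unknown
        if now - last > self.idle_timeout:
            del self.seen[dst]              # entry aged out: a keep-alive would have refreshed it
            return False
        return True


def run_scenario() -> dict:
    """Constructed scenario exercising the active host, the unknown address,
    the silent server with and without keep-alives, and a router reboot."""
    f = WorkingSetFilter(idle_timeout=300, learning_period=60, boot_time=-1000)
    r = {}

    # An address that has sent locally is accepted as a destination for remote traffic.
    f.local_source("2001:db8::10", now=0)
    r["active_host"] = f.accept_remote("2001:db8::10", now=10)

    # An address never seen on the link is dropped (unsolicited remote traffic).
    r["unknown"] = f.accept_remote("2001:db8::dead", now=10)

    # Silent server: learned once, then idle past the timeout, so it ages out.
    f.local_source("2001:db8::80", now=0)
    r["silent_server_expired"] = f.accept_remote("2001:db8::80", now=400)

    # Same kind of server, but refreshing its entry with a periodic keep-alive.
    f.local_source("2001:db8::81", now=0)
    for t in range(100, 700, 100):
        f.local_source("2001:db8::81", now=t)
    r["silent_server_keepalive"] = f.accept_remote("2001:db8::81", now=650)

    # Router reboot: the set is empty, but the learning period admits traffic...
    f.reboot(now=1000)
    r["after_reboot_learning"] = f.accept_remote("2001:db8::10", now=1010)

    # ...a host that re-announced itself during learning stays accepted afterwards...
    f.local_source("2001:db8::11", now=1020)
    r["after_reboot_refreshed"] = f.accept_remote("2001:db8::11", now=1100)

    # ...while one that stayed silent through the learning period is dropped.
    r["after_reboot_unrefreshed"] = f.accept_remote("2001:db8::10", now=1100)
    return r


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name:28s} {'accept' if accepted else 'drop'}")
```

The keep-alive interval has to be shorter than `idle_timeout` for the silent-server case to work, and the learning period is exactly the window in which the filter offers no protection; both are the tuning knobs a deployment would have to choose, and the model does nothing about a local host that floods the set with fabricated source addresses, which the message also leaves unsolved.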
